A blog about reverse engineering, mathematics, politricks and some more ...

Sunday, June 02, 2013

Analogies, Piracy, Attribution, and the law of unintended consequences

I learnt a few interesting lessons this week...

I was honored to invited as a keynote speaker at SOURCE Dublin 2013, which was held on the 23rd/24th of May. Given that I had nothing technical to speak about, and given that keynote talks are not supposed to be technical, I needed to come up with an entertaining topic related to IT security.

A few weeks earlier, I had watched Dave Aitel give an interview on TV somewhere, and he had said a particular sentence that I found thought-inducing: He compared the hiring of computer security folks by the DoD to "building a new Navy" that will control the trade routes of the future, the internet.

I found the thought interesting, and decided that I will see how far I can stretch this sentence. When thinking about the internet as the ocean, one is half a step away from the word "Pirates". And boy, everybody loves hearing about Pirates - the topic is rich in historical sources of dubious veracity and colorful lore. Clearly, I had found a great way to entertain the audience for 50 minutes.

So I used this as an excuse to buy and read some books on the history of piracy, and managed to construct what I immodestly think is a great piece of entertainment - a talk that manages to engage the audience, draw parallels between the early Boucaniers and Hackers (it's always good to flatter the audience a bit), comment on how the Boucaniers turned into Privateers, and generally get people to dream a bit. (Slides)

While flattering the audience is good and well, I also wanted to get the audience to question something they believe in. With everybody arguing about the evils of government-tolerated industrial espionage, I wanted to tell the audience that one country's criminal is often another country's hero - so what better way to draw a parallel between today's attackers and 16th-century Britain, an upcoming power attempting to gain the upper hand against almighty Spain.

All in all, I gave the talk (somewhat nervously), and I think I managed to engage and entertain the audience. I was quite happy with how it went, particularly because I was extremely nervous about having to give a presentation with no technical verifiable truth in it.

I had expected the talk to be an entertaining diversion, with little real relevance. Now, some very surprising things happened after the talk:

First, a number of people took the talk way too seriously, attempting to derive policy recommendations from my very tenuously constructed analogy. Analogies are great for examining a problem - given something unknown, there are few more interesting activities than to construct different analogies and then reason about where they fit and where they do not fit. Thus, they are great tools for understanding and examining - while being dangerously bad for prediction and policy advice.

Secondly, a different set of people begun arguing that the analogies are flawed because at some lower level of abstraction they break down ("I can't use the internet to turn sewage into shrimp, hence the internet can't be like an ocean"). I had difficulty understanding the effort and emotion people put into finding places where the analogy breaks down - given that I had meant it as entertaining, they seemed to me like the guy in a superhero movie that complains that some action scene was unrealistic.

Then something else happened that caught me completely off-guard: Pretty exactly one week after my presentation went online, the NYT published an op-ed contributed by JC Hirsch and Sam Adelsberg titled "An Elizabethan Cyberwar" - which was clearly strongly inspired by my keynote, down to individual details of my constructed analogies. The article takes the Britain/Spain analogy, mentions the deniability afforded to the British Crown by the privateering constructs that I had highlighted, and then proceeds to provide policy advice based on this.

I was stunned - first off, that something I had constructed for entertainment would end up inspiring an NYT op-ed a week later and secondly, that people are really trying to construct advice from it.

To clarify: I used Dave's analogy of "the internet as sea" and constructed the analogy to the Spanish Main as a form of entertainment, something to discuss over a glass of wine - not as something that should be used to draw any real-life lessons about the internet, or about cyberwarfare.

So what real-life lessons did I learn through this ? A good analogy is like a good joke: It is impossible to contain, travels fast, and can have surprising unintended consequences. Also, everybody is so desperate to understand "the internet" that the path from "small conference talk in Dublin" to "heavily influencing a NYT op-ed" is short. This highlights how little we understand technology's impact, and how much even tenuously constructed analogies fill an emotional need. Finally, as for good jokes and cyber attacks, attribution for good analogies seems hard - selfishly, I would have really liked a footnote to the op-ed.

Update: It seems analogies are like 0days - often discovered by multiple parties in parallel, confusing anyone who wants to do attribution :-). It seems the authors of the NYT op-ed had developed these ideas independently prior to my talk, and just delayed the publication of the article due to current events. They were not influenced in any way by my keynote. :-)

About Me

I like simple things. And complex things. And drinking beer with people like Fyodor Yarochkin.
I like South America. And some parts of Asia, specifically Kuala Lumpur.
I like French. I like Spanish. I'd like to like more languages.